Daily summary - Monday 12-05-2014

End-of-Shift report

Timeframe: Friday 09-05-2014 18:00 - Monday 12-05-2014 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner

Collabtive folder SQL injection

Collabtive is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the managefile.php script using the folder parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.

http://xforce.iss.net/xforce/xfdb/93029


Cobbler kickstart value file include

Cobbler could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request using the Kickstart value when creating new profiles, to specify a malicious file from the local system, which could allow the attacker to obtain sensitive information or execute arbitrary code on the vulnerable Web server.

http://xforce.iss.net/xforce/xfdb/93033


Bitcoin Miner Utilizing IRC Worm

Bitcoin miners have given a new reason for attackers to communicate en masse with infected users. IRC worms are not exactly the most hip way to communicate, but they remain effective at sending and receiving commands. I recently came across several samples which were bitcoin mining examples leveraging IRC. The malicious binary, once installed, queries for the network shares connected to the

http://feedproxy.google.com/~r/zscaler/research/~3/2xQ7VPxF-ms/bitcoin-miner-utilizing-irc-worm.html


strongSwan Null Pointer Dereference in Processing ID_DER_ASN1_DN ID Payloads Lets Remote Users Deny Service

A vulnerability was reported in strongSwan. A remote user can cause denial of service conditions. A remote user can send a specially crafted ID_DER_ASN1_DN ID payload to trigger a null pointer dereference and cause the target IKE service to crash.

http://www.securitytracker.com/id/1030209


G Data: Symantec's "end of antivirus software" unsettles users

Don't be unsettled, keep buying antivirus software - that is G Data's appeal. Symantec had previously stated that on average only 45 percent of all attacks are still detected by antivirus software.

http://www.golem.de/news/g-data-symantecs-ende-der-antivirensoftware-verunsichert-nutzer-1405-106381-rss.html


Drupal Flag 7.x-3.5 Command Execution

Topic: Drupal Flag 7.x-3.5 Command Execution
Risk: High
Text: Drupal Flag 7.x-3.5 Module Vulnerability Report
Author: Ubani Anthony Balogun
Reported: May 07, 2014 ...

http://cxsecurity.com/issue/WLB-2014050054


After Heartbleed: new certificate, old key

After the Heartbleed bug, many administrators replaced the certificates used for their TLS connections. Many of them, however, made a fatal mistake: they issued a new certificate but did not generate a new private key. Because Heartbleed exposed the key itself, a reissued certificate on the same key is as exposed as the one it replaced.

http://www.golem.de/news/nach-heartbleed-neues-zertifikat-alter-key-1405-106384-rss.html
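The check a practitioner wants here is whether the replacement certificate actually carries a new public key. The following is an added example, not code from CERT.at, golem.de or any project in this digest: it walks just enough DER to extract the SubjectPublicKeyInfo from an X.509 certificate and compares its SHA-256 between the old and the new certificate. The three certificates it operates on are synthetic, unsigned shells constructed inside the block for the demo (toy moduli, empty names); the parser itself works on real PEM certificates, where the fingerprint equals what `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum` prints.

```python
"""Did the post-Heartbleed certificate replacement also replace the key?

Added example, not from the digest or any project it names. Extracts the
DER SubjectPublicKeyInfo (SPKI) from a certificate and compares its SHA-256
across old and new certificate: same hash means the same, possibly leaked, key.
"""
import base64
import hashlib
import re

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # rsaEncryption
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption


def _read_tlv(data, pos):
    """Decode one DER TLV at data[pos]; return (tag, value, raw_tlv, next_pos)."""
    start = pos
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (real certs need this)
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], data[start:end], end


def _children(value):
    """Split a constructed element's contents into (tag, value, raw) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = _read_tlv(value, pos)
        out.append((tag, val, raw))
    return out


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def spki_from_cert(der):
    """Return the raw DER subjectPublicKeyInfo.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs, _ = _children(cert)[0]
    if tbs_tag != 0x30:
        raise ValueError("malformed TBSCertificate")
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:     # explicit [0] version present (v2/v3)
        fields = fields[1:]
    spki_tag, _, spki_raw = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not where expected")
    return spki_raw


def key_fingerprint(pem):
    """Hex SHA-256 over the DER SPKI (the value an HPKP pin is built from)."""
    return hashlib.sha256(spki_from_cert(pem_to_der(pem))).hexdigest()


def key_was_rotated(old_pem, new_pem):
    """True only if the new certificate carries a different public key."""
    return key_fingerprint(old_pem) != key_fingerprint(new_pem)


# --- constructed demo data: minimal DER encoder and three synthetic, unsigned certs ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _fake_spki(modulus_bytes):               # toy RSAPublicKey {n, e=65537}, not a real key
    rsa_key = _der(0x30, _der(0x02, modulus_bytes) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


def _fake_cert_pem(serial, spki):
    """Structurally valid v3 shell: empty names, dummy signature (demo only)."""
    alg = _der(0x30, _der(0x06, SHA256_RSA_OID) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"140412000000Z") + _der(0x17, b"150412000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + alg
               + _der(0x30, b"") + validity + _der(0x30, b"") + spki)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


LEAKED_KEY_SPKI = _fake_spki(b"\x00\xde\xad\xbe\xef\x01")    # constructed, stands for the leaked key
FRESH_KEY_SPKI = _fake_spki(b"\x00\xca\xfe\xf0\x0d\x02")     # constructed, stands for a new key

OLD_CERT = _fake_cert_pem(b"\x01", LEAKED_KEY_SPKI)           # pre-Heartbleed certificate
REISSUED_SAME_KEY = _fake_cert_pem(b"\x02", LEAKED_KEY_SPKI)  # new cert, old key: the mistake
REISSUED_NEW_KEY = _fake_cert_pem(b"\x03", FRESH_KEY_SPKI)    # new cert on a freshly generated key

if __name__ == "__main__":
    print("same key reused:", not key_was_rotated(OLD_CERT, REISSUED_SAME_KEY))
    print("key rotated    :", key_was_rotated(OLD_CERT, REISSUED_NEW_KEY))
```

Run it against the certificate you archived before the reissue and the one now served; a matching fingerprint means the rotation has to be redone, starting with a fresh key pair, and the old certificate still needs to be revoked.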


Backdoor Xtrat Continues to Evade Detection

While reviewing recent reports scanned by ZULU, we came across a malicious report that drew our attention. It was notable as the final redirection downloaded ZIP content by accessing a PHP file on the domain www.stisanic.com. URL: hxxp://www[.]stisanic[.]com/wp-content/coblackberrycomnotasdevozdate07052014[.]php ZULU's VirusTotal check scored the file as higher risk. At the time 10

http://feedproxy.google.com/~r/zscaler/research/~3/OqS4L1x6ebQ/backdoor-xtrat-continues-to-evade.html


Link-shortening service Bit.ly suffers data breach

We have reason to believe that Bitly account credentials have been compromised; specifically, users' email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission. We have taken steps to ensure the security of all accounts, including disconnecting all users' Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.

http://blog.bitly.com/post/85169217199/urgent-security-update-regarding-your-bitly-account


Fake certificates undermine HTTPS connections

Researchers speak of a significant share of encrypted communication being affected - mainly firewalls and antivirus software are responsible

http://derstandard.at/1399507237936


Linux kernel: root privileges for users

A bug in the Linux kernel lets an ordinary user gain root privileges. The bug has been known for a good week, but now there is a public exploit.

http://www.golem.de/news/linux-kernel-root-rechte-fuer-nutzer-1405-106407-rss.html


Race Condition in the Linux kernel

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196


Unknown parties offer 33 million e-mail addresses for sale

This could trigger the next spam wave: unknown parties are offering several million e-mail addresses from German providers for sale via e-mail. They claim the addresses are 100 percent valid.

http://www.heise.de/security/meldung/Unbekannte-bieten-33-Millionen-E-Mail-Adressen-feil-2187395.html


HPSBST03038 rev.1 - HP H-series Fibre Channel Switches, Remote Disclosure of Information

A potential security vulnerability has been identified with certain HP H-series Fibre Channel Switches. This vulnerability could be exploited remotely to disclose information.

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04277407


Bugtraq: ESA-2014-027: RSA NetWitness and RSA Security Analytics Authentication Bypass Vulnerability

RSA NetWitness and RSA Security Analytics each contain a security fix for an authentication bypass vulnerability that could potentially be exploited to compromise the affected system. When PAM for Kerberos is enabled, an attacker can authenticate to the vulnerable system with a valid user name and without specifying a password. This issue does not affect other authentication methods.

http://www.securityfocus.com/archive/1/532077